Proving that data was untouched at a particular point in time is rarely a concern for organizations implementing security controls; other areas are believed to be more important. The focus is mostly on protecting information by assessing and mitigating the risk associated with its loss. Part of this effort involves auditing access to systems in various ways, so that there is a record and, hopefully, a notification when a security incident occurs. Unfortunately, auditing access to the data itself (files, databases) is rarely a priority. While auditors generally accept this approach, the lack of a record of which files were accessed, and by whom, can turn against you when a security incident does happen.
Somewhere at the confluence of the HIPAA Security Rule and the HIPAA Privacy Rule lies a less known implication: a presumed security incident for which there is no proof that data was NOT affected must be reported like any other confirmed data breach. Consequently, an entity that finds itself in this situation goes through the same process as an entity that suffered a clear and proven data breach:
Some confusion exists around this topic, because initially a breach had to be reported only when there was proof that data was affected. However, since the update “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act” of January 25, 2013, the rule reads:
Impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
Example of how lack of proof triggers a breach report
The security incident at Valley Anesthesiology and Pain Consultants (VAPC) is an example of such a situation. There was a presumed security incident with no proof that data was affected, yet it still had to be reported under HIPAA, because no evidence that the data was NOT affected could be found either.
On June 13, 2016, management learned of a possible security incident that had occurred on March 30, in which an external attacker gained access to critical computer systems. The company hired forensic investigators, who found no evidence that the data on these systems had been compromised. Nevertheless, since no proof that the data was untouched could be found either, VAPC began notifying affected persons and made an official report on August 11, 2016. Over 882,000 customers and all employees were considered affected by this incident.
TEMASOFT FileMonitor, our file monitoring software, offers detailed data access auditing functionality enabling healthcare companies to:
TEMASOFT offers this functionality for FREE for up to two workstation PCs, for personal use.
References:
http://www.valley.md/securityupdate
https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
This post was last modified on August 21, 2023 7:27 am